This is what happens when the source code isnt open to review.
Microsoft has been committing class war against computer users since the 90's and they get all butt hurt as soon as someone holds their code to the flame.
this post was submitted on 27 May 2026
918 points (99.2% liked)
Technology
85110 readers
4002 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 3 years ago
MODERATORS
I can't imagine what nightmarish vulnerabilities Microsoft knows about and is hiding because they would require too much effort to patch. I bet there are some really crazy things that have probably been wide open for decades if you only knew where to look.
Maybe like bitlocker 🤔 It's almost like keeping windos closed source enables the government to keep exploits to themselves. But that can't be the truth... can it?
Eclipse implies that Microsoft ignored or refused their zero-day reports and/or did not pay out bounties as requested, somehow causing financial harm in the process.
“Somehow?”
Were the bounties not earned? Because simply not paying as a promised for services rendered is a very clear financial harm.
Responsible disclosure is a kindness; it is not required--especially if/when the vendor doesn't act in good faith.
MS shouldn't be able to silence researchers, but that's what the industry gets by voluntarily clustering around a single, proprietary service.
I don't think either party should be compelled to take (or reverse) any action.
Exactly. Thank you Microsoft do more of this so we end up in a federated world.
HACK THE PLANET's windows
If she's going for maximum damage, I am surprised this person doesn't just announce when she's found a big exploit, and then just sell it to up to 10 people, and then announce in very vague terms what the exploits are. (Like, "just sold exploit for windows defender" or "just sold way to hack into bitlocker").
It seems like the vagueness of such things would make corporations more worried about being hacked and Microsoft could only guess as to what specific code was hacked, costing them greater resources.
Yes, it would be illegal, and therefore I hope she doesn't do that and recommend against it. But I am just surprised, given the level of anger, that she has been approaching things in a way that is so easy to patch.
Is her approach more damaging the way she's actually doing it?
Would it actually be illegal? Im not a lawyer or anything, but im not sure what crime it would be. Using the exploit to hack someone would be illegal, but I cant see why developing and selling an exploit would be
Its a fine line between getting revenge on Microsoft and screwing over human beings that trusted them. I wouldn't be surprised if a bitlocker zero day got someone killed, given the number of people using it around the world.
I wouldn't be surprised if a bitlocker zero day got someone killed
How would it get someone killed?
Because people keep secrets on computers. You cave the combination of a tiny percentage of people who have secrets that are life threatening, and millions of people use bitlocker because its built into Windows. Its a tiny number times a huge number.
If I had to guess, that might include journalists who investigate authoritarian regimes, activists who keep their identity secret, and minorities who live in countries where their identity is a capital crime.
Then there are probably also governments who rely on bitlocker to secure the computers of people with state secrets like the identities of spies. Probably lots of other weird edge cases.
Image a dissidents hard drive and break into it later when an exploit drops. Selling to an exploit broker is even worse sense the individual would never know how or if a government intelligence agency got all their personal data because they expect it do be secured.
Best of luck to him on his crusade. Full support!
friendly reminder there is a github replacement for opensource made by framasoft I think
Man, Microsoft just keeps footgunning this one.
Every new exploit, they clearly have a meeting and convince themselves "that's gotta be the last of it, right?"
So the next day-after-patch-tuesday rolls around and lo and behold, this guy drops some more nukes on their reputation as far as their most important customer demographic are concerned (corporate IT)
Given this genuinely does seem to stem from Microsoft mishandling this guy, why the fuck do they keep escalating
Puts a lot of evidence towards his claims that Microsoft was behaving badly from the outset and the reason why he started doing this. They keep escalating. Its a war they started.
you know, since this little saga began I've had this tiny voice in my head hoping this one vindictive dude is, eventually, directly responsible for Microsoft going out of business/doing severe restructuring or downsizing as a consequence of businesses losing faith in the company's products. Lots of people already raise an eyebrow at Windows 11's issues, things like "all our shit is fundamentally insecure because microslop left a backdoor in [insert critical thing here], and has been for [weeks/months/years/???]" tend to have an adverse effect on sales, especially to risk-averse business customers. It's not impossible to imagine that continued "holy fuck what 0day exploit just dropped?" incidents, on the level of YellowKey, happening every month, could result in businesses deciding to drop their enterprise licensing of MS products; and that's going to hurt. That's where a big chunk, if not the biggest chunk iirc, of their revenue comes from. It's unlikely, it's a longshot, but I'm allowed to have hope.
I'm especially now wondering, if YellowKey was the teaser -- you know, just casually revealing a backdoor in BitLocker, like nbd -- what the actual fuck are they going to drop in July? If that's the appetizer, how juicy's the entree gonna be?
I think as long as nothing actually happens, other companies wont care. No one is capable of thinking about the future anymore, there is only next quartal and short term profits.
It might actually be needed for something big to go down first, like those 0day exploits actually get exploited and some client company or few loses a lot of money because of it. Considering how unsecure windows is, i'm a bit perplexed how nothing hasn't happened already.
Some of the other 0days this guy released are already being actively exploited in the wild, but no reports of big losses as a result of them yet. Having said that, the entire point of BitLocker was that it was full disk encryption that you didn't have to think too much about; and now I bet every corporate IT department out there is looking at it with suspicion. If this guy can keep delivering on "things that keep sysadmins awake at night", like "oh god every hard drive we've had stolen in the last few years can be fully decrypted now", eventually a lot of them will decide it is less harrowing and less work to move their entire stack away from Microsoft than it is to live with them.
They'd better not be overselling this bomb they're gonna drop in July. I'm already moved over to Linux fully now, to quote photonicinduction: I want flames. I don't just want to see it all over the tech news, I'm hoping he screws with them hard enough the story makes it to actual TV news channels.
load more comments
(1 replies)
Very little seems to be beyond the incredulity of MS meetings, remember they had a meeting where someone suggested the OS take a screenshot every ten seconds of whatever the user was doing and upload it to MS servers and rather than everyone laughing they agreed to move it into development.
load more comments
(7 replies)
load more comments
(14 replies)
If the guy exposing the exploits is the be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).
Even if this person is lying I'm more likely to believe MS is the bad guy here. It seems like bullying to me. That and an attempt to mask the problems at the company because they have been getting a lot of bad press and are having trouble with the entirety of windows 11 which they forced on people and they keep breaking. The adoption rate of windows 11 being so bad also lends credence to what this person is claiming.
Microsoft has always been an evil company, but wow they are trying their hardest to reach Gates level of shit
load more comments
(1 replies)
“Hey, let’s piss off the security expert who’s really good at finding flaws in our products. There’s literally no downside.”
"Oh, the one who just published two exploits on our product, after we fucked them over during the responsible disclosure process? Great idea! What are the chances they'll find another one, right?
He's done more than two. This was his second round of releases. He was also the one that found the vulnerability in Windows Defender.
I feel that companies like Microsoft have forgotten that bug bounties and ethical reporting are the compromise where they agree to pay a fair amount for the bugs and are given time to fix them and the security researcher forgoes the 10x price they could get on the black market.
Given the rise in mercenary hacking/spyware corporations, the bug researchers could probably get way more money through those alternate, and still legal, channels.
So I hear.
And this is why if you're going to post something like this, you host your own git. Or use something like codeberg.
The dichotomy here is you can't be famous hosting exploits on smaller forges. Gotta be on the big platforms where you can be starred and forked for social media cred to make news stories to impress your friends. IIRC I think HeartBleed (maybe ShellShock?) was the tip of this popularity iceberg...
Does anyone care about stars?
Openclaw is the most starred repo in years (i wonder why) and is incredibly niche.
Stars are kind of a scam.
load more comments
(2 replies)
load more comments
(1 replies)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Okay,
So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.
You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.
Now you take the courtesy to flag my github account and wipe it out of the public, just like that ? You are proving to everyone that you actively escalating this conflict but I'm done begging you.
I might sound like crazy idiot who is whinning around but I have proof for every single word I said, I just can't release it yet. Why ? Microsoft still has chains in my hands, it's been like this for years and I just can't stay silent anymore. I hope I can release the documents soon.
Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances).
Also,
CVE-2026-45498 is UnDefend
CVE-2026-41091 is RedSun
New GitLab account,
https://gitlab.com/nightmare-eclipse
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCahGg+gAKCRDFFoRCS0/S
bBMIAPsEczivsL71pbJizJHHlNNOf9guPAFFshJhhkwrDrwZ5wD/Vz6Z+d6vSvhQ
uVrEh4lPM84Q8+J56RLa50Zp46QLkAY=
=8wON
-----END PGP SIGNATURE-----
https://deadeclipse666.blogspot.com/
Their account on GitLab is already blocked https://gitlab.com/nightmare-eclipse
load more comments
(23 replies)
Microsoft has been mum on any details about these matters, so it's hard to tell if the situation is about an uncooperative researcher who doesn't follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse's GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.
Classic Streisand effect. Just two years ago Satya Nadella publicly announced they're prioritizing security above all else, but now have nothing to say about these exploits and are trying to silence the researcher? Viewing from the sidelines, it did seem a bit reckless how Eclipse was dropping these as zero days, but Microsoft's actions speak louder than words and they probably didn't pay for the bounties.
load more comments
(5 replies)
I wonder if the dude happened to find an internally documented backdoor intended for use by government actors? Or most likely they just don’t wanna deal with it and the perceived fastest way to deal with it is to try and bury it. Both could be true, but I’m just speculating.
Their april 15th blog post explicitly calls it a backdoor and mentions it was very well hidden. I'm interested to see what comes of this
load more comments
(4 replies)
load more comments
(3 replies)
I'm surprised admins found a window large enough when github wasn't down to ban the researcher.
Microsoft closed the case after the reporter refused to submit a video of the exploit
They don't have any actual fucking security experts there, so they require video proof that ape will understand.
Posting zero day exploits on github is a shit move. But Microsoft should be happy that this guy posted it on github rather than selling it on the black market.
Banning his guthub account won't make zero day vulnerabilities go away ffs.
You can well imagine that this reaction will fall on fruitful ground that some security experts will think twice about sending it to M$ or better selling it on the dark web, especially zero day exploits! Hell, boy, Microsoft does not seem to know with whom they are messing with.
load more comments
(3 replies)
Is this the bitlocker backdoor? That's not an exploit / zeroday
Thats making a backdoor be known.
load more comments
(2 replies)
The saga has drawn speculation from other experts, like William Dormann from Tharros, who said that "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."
. . . In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window completely obsolete, and both time-until-exploit and unused exploits are both nearing zero, Microsoft and other software players would do well to adjust their policies.
That's such an insane aside. 90-day disclosure-to-patch. Craziness.
On the other hand, this is exactly the way microsoft has been for - easily - 30 years. Like, 1996 microsoft could be slotted into today and literally nothing would change. Other than Nadella would probably be on a bunch of coke.
Didn't Google also recently used their stupid AI to find exploits in FFMPEG and then blackmailed them to fix it before deadline or they will release them to the public? If banning a dev for such "act" is right, then banning the company should also be right. Ban all of them.
load more comments
(7 replies)
I'm no expert. Is this an issue where MS is refusing to pay bounties to the researcher for finding the bugs, and MS follows up by deleting the researcher's git hub? Am I missing anything? If I understand the basics, this is how you turn a white hat into a black hat. Good job microslop.
load more comments
(4 replies)
view more: next ›